Why follow 'secure by default' principles in cybersecurity

Increasing, cybersecurity has gained attention among device manufacturers and end users alike amid reports of breaches and cyberattacks against connected devices, IP cameras included. Against this backdrop, the “secure by default” principles will be demanded by more and more end users.
 
A recent blog post by Axis Communications points out there are multiple threat vectors facing end user entities, ranging from the rarer elite teams of sophisticated hackers to the more common opportunistic hackers who are looking for exploitable vulnerabilities and weaknesses in a network. However, the post pointed out human error and negligence is a big threat as well.
 
“It is a concern that many major data breaches have been reported in recent times due to issues with system configurations, which can usually be attributed to human error,” it said. “While it is widely acknowledged that education regarding the use of new technologies is hugely important, it is also essential that technology vendors support those who are installing and commissioning these systems to minimize human mistakes and configuration issues.”
 
Amid these challenges, users will start to demand that the technologies they procure are designed, manufactured and deployed with a secure by default strategy, the post said.
 
“Secure by default essentially means that a technology has the best security it can have built in, without users even knowing it’s there or having to turn it on,” the post said. “Simply put, a secure by default strategy means taking a holistic approach to solving security problems at the root cause, rather than treating the symptoms of a cybersecurity defect and therefore acting at scale to reduce the overall harm to a system or type of component.”
 

Right security primitives built in

 
According to the post, secure by default covers the long-term technical effort to ensure that the right security primitives are built in to software and hardware. In fact, this concept has gained so much importance that even the newly enforced GDPR requires it.
 
“Previously known as ‘privacy by design’, the GDPR makes ‘data protection and security by design and default’ a legal requirement,” the post said. “Article 25 mandates that, at the time of the determination of the means of the processing and at the time of the processing itself, organizations must put in place appropriate technical and organizational measures designed to implement data protection in an effective manner.”
 
According to the post, Axis has aligned the secure by default principles to recommendations made within the National Cybersecurity Strategy Code of Practice. These are summarized as follows.
 

• Password prompts: In order to access the device, there will be an out-of-box password provided for the user. During the set-up process, we will prompt the user to change the password. There is a strength indicator advising on the effectiveness of the password.

 

• HTTPS encryption: According to the post, Hyper Text Transfer Protocol Secure (HTTPS) is the secure version of HTTP, the protocol over which data is sent between the user's browser and the website they are connected to. All communications between the user's browser and the website are encrypted.

 

• 1x: IEEE 802.1X is an IEEE standard for port-based Network Access Control (PNAC). It is part of the IEEE 802.1 group of networking protocols and provides an authentication mechanism for devices wishing to attach to a LAN or WLAN, the post said.

 

• Remote Access DISABLED (NAT traversal): While there are operational benefits to being able to remotely access devices, this is a function that needs to be enabled and the necessary procuration should be followed when this has been enabled to protect the device, the post said.